(https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0732): During key agreement in a TLS handshake using a DH(E) based ciphersuite a malicious server can send a very large prime value to the client. This will cause the client to spend an unreasonably long period of time generating a key for this prime resulting in a hang until the client has finished. This could be exploited in a Denial Of Service attack. Fixed in OpenSSL 1.1.0i-dev (Affected 1.1.0-1.1.0h). Fixed in OpenSSL 1.0.2p-dev (Affected 1.0.2-1.0.2o). OpenSSL is prone to a local information-disclosure vulnerability. Summary: Local attackers can exploit this issue to obtain sensitive information. This may aid in further attacks. @maintainer(s): OpenSSL 1.0.2p is now available, including bug and security fixes. Gentoo Security Padawan (domhnall)
We are carrying a patch for this since https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e18f23bb2a2da949d03482b4a5f3a77c37d97c09
@ Arches, please test and mark stable: =dev-libs/openssl-1.0.2p
x86 stable
amd64 stable
ia64 stable
ppc64 stable
hppa stable
sparc done.
(In reply to Mikle Kolyada from comment #4) > amd64 stable Mikle, you missed to actually commit that change...
(In reply to Laszlo Valko from comment #9) > (In reply to Mikle Kolyada from comment #4) > > amd64 stable > > Mikle, you missed to actually commit that change... He stabled revision noted in summary, instead of package list, apparently. Re-CCed amd64.
arm64 stable
alpha stable
The rest was done and cleaned.
Arches and Maintainer(s), Thank you for your work. New GLSA Request filed.
This issue was resolved and addressed in GLSA 201811-03 at https://security.gentoo.org/glsa/201811-03 by GLSA coordinator Thomas Deutschmann (whissi).